Implementing SIF¶

This page covers how to produce and consume SIF — from the compiler that generates it to the patterns for feeding it to AI agents.

Producing SIF: The Compiler¶

Salient's twin compiler reads all twin data and outputs SIF at three tiers. The compilation pipeline:

Twin Data (facts, scores, gaps, events, connectors)
    │
    ▼
Aggregation ──► Scoring ──► Compression ──► SIF Output

Step 1: Aggregate¶

Collect all twin data by category — facts grouped by type and confidence, scores by NIST CSF function, gaps by severity and recurrence.

Step 2: Score¶

Compute current maturity scores, trajectory, and delta over time. Identify active contradictions.

Step 3: Compress¶

Apply the SIF schema to produce the target tier:

Tier 1 — ExecutiveTier 2 — StandardTier 3 — Full

@SIF/1.0
@SCHEMA org=organization ind=industry emp=employees it=IT_staff
@SCHEMA mfa=MFA_coverage sso=SSO_applications
@NIST ID=Identify PR=Protect DE=Detect RS=Respond RC=Recover
@SEVERITY C=critical H=high M=medium L=low
@CONFIDENCE V>O>D>U>X

@ORG AcmeCorp ind:MFG emp:250 it:3/MSP risk:moderate
@CTRL ID:65↑ PR:48→ DE:35↑ RS:55↑ RC:42→ | Σ:52↑8/mo
@GAPS.H no-escalation-afterhours(3x,RS.CO) mfa-vpn(2x,PR.AC)
@X ir-plan-age{say:quarterly real:18mo}
@TRAJECTORY 5ex/30d scores:[38,42,45,49,52] Δ:+14/30d

Adds identity posture, tool inventory, facts by confidence, exercise history, compliance scores, and recommendations. ~800 tokens.

Adds evidence chains, source quotes, full gap descriptions, remediation steps, event details. ~3K tokens.

Consuming SIF¶

Reading the Schema Header¶

Every SIF document starts with @SIF/1.0 followed by @SCHEMA lines defining abbreviations. An AI agent reads these definitions and expands abbreviations throughout the document.

# Pseudocode for parsing SIF
def parse_sif(content: str) -> dict:
    lines = content.strip().split("\n")
    schema = {}
    data = {}
    for line in lines:
        if line.startswith("@SCHEMA"):
            # Parse key=value pairs into schema dict
            pairs = line.split()[1:]
            for pair in pairs:
                k, v = pair.split("=")
                schema[k] = v
        elif line.startswith("@"):
            # Parse data sections using schema for expansion
            tag = line.split()[0][1:]
            data[tag] = parse_section(line, schema)
    return {"schema": schema, "data": data}

Feeding SIF to an AI Agent¶

The most common pattern is injecting the compiled twin as system context:

system_prompt = f"""You are a security analyst for this organization.

{compiled_twin_sif}

Answer questions using this organizational context."""

response = client.messages.create(
    model="claude-sonnet-4-20250514",
    system=system_prompt,
    messages=[{"role": "user", "content": "Are we prepared for a supply chain attack?"}]
)

Tier selection

Use Tier 1 when the twin context is supplementary (e.g., during an exercise). Use Tier 2 for dedicated analysis tasks. Use Tier 3 only when deep evidence review is the primary goal.

Example: Querying Against SIF¶

Given Tier 2 SIF in context, an AI agent can answer:

"What is our MFA coverage?" — reads @IDENTITY section
"What NIST CSF function needs the most work?" — reads @CTRL scores
"What contradictions exist in our posture?" — reads @X section
"How has our posture changed this month?" — reads @TRAJECTORY

The schema header ensures the AI correctly expands all abbreviations without prior training on SIF.

Why SIF · SIF Specification